Vaccine Passports Could Expose Personal Health Information
April 30th, 2021
The idea of requiring COVID-19 vaccine passports to enable people to travel, attend public events, or enter their places of work has generated quite a bit of political discourse in recent weeks. And while some governors are banning the passports altogether on the grounds that they violate personal freedoms, there’s another concern about vaccine passports that needs to be addressed: the increased exposure of personally identifiable information (PII) or protected health information (PHI).
The problem is that COVID-19 testing and vaccination records from the CDC contain dates of birth (DOBs), which are key ingredients in fraudulent credit card applications and other forms of financially motivated identity theft.
PHI from healthcare data breaches typically commands higher prices on dark web marketplaces where attackers sell it, because PHI is more likely than non-health PII to contain DOBs, Social Security numbers, and other key ingredients in identity theft. So, it only makes sense that vaccine passports are likely to become targets for criminals looking for PHI that contains DOBs.
Another risk is that criminals might compromise legitimate vaccine passports for fraudulent use by unauthorized third parties, which would have public health implications. A black market for stolen vaccine passports is likely to emerge, given the scale of vaccine resistance in the United States, as well as the difficulty in obtaining vaccinations in other countries.
In this scenario, people unwilling or unable to receive vaccinations would pay for unauthorized access to compromised vaccine passports for their own use. The public health ramifications could be serious if, for example, an unvaccinated person who might be carrying the virus gets on a plane or dines in a restaurant and infects other people.
Digital Solutions Need Improvement
New York state has begun offering downloads of an app that would appear to solve the DOB issue by generating a QR code on your smartphone that can verify whether someone is fully vaccinated or has recently tested negative. The app can be scanned to produce a green check mark or a red X, and the system is being used at places like Madison Square Garden, Barclays Center, and Yankee Stadium.
However, in order to use the app, people have to enter information into the system, which appears to be somewhat buggy. The enrollment process appears to give criminals an opportunity to compromise legitimate vaccination records using only a combination of name, DOB, and zip code, which fraudsters can easily obtain from PII databases in underground criminal communities.
Criminals can buy and sell compromised US data in bulk by state, so it would be easy for them to target New York, in particular, for such attacks. The second stage of the authentication process challenges users to provide details of their vaccination – date, county, and manufacturer. But the system provides a multiple-choice format and allows unlimited guesses, which could enable attackers to compromise legitimate records, particularly if they automate the guessing process in a type of brute force attack.
Also, the Excelsior Pass application does not require a password, which could make it easier to compromise in a mobile malware attack.
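The missing control described above is a limit on failed challenge answers. The following Python is an added defensive example, not code from the post or from the Excelsior Pass system: it locks an identity out after a small number of wrong second-stage answers and shows what share of a multiple-choice answer space a guesser could cover under that limit. The identity key, option counts, and thresholds are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values (constructed, not from the post or any real system).
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_WINDOW = timedelta(hours=24)


@dataclass
class ChallengeGuard:
    """Tracks failed second-stage answers per identity and enforces a lockout."""
    # identity key (e.g. "name|dob|zip") -> timestamps of recent failures
    failures: dict = field(default_factory=dict)

    def _recent(self, key: str, now: datetime) -> list:
        # Drop failures older than the lockout window and keep the rest.
        cutoff = now - LOCKOUT_WINDOW
        kept = [t for t in self.failures.get(key, []) if t > cutoff]
        self.failures[key] = kept
        return kept

    def is_locked(self, key: str, now: datetime) -> bool:
        return len(self._recent(key, now)) >= MAX_FAILED_ATTEMPTS

    def verify(self, key: str, submitted: tuple, expected: tuple, now: datetime) -> str:
        """Returns 'ok', 'rejected', or 'locked'. Locked identities are not
        checked at all, so a correct guess after the limit still fails."""
        if self.is_locked(key, now):
            return "locked"
        if submitted == expected:
            self.failures.pop(key, None)
            return "ok"
        self._recent(key, now).append(now)
        return "rejected"


def brute_force_coverage(option_counts: tuple, max_attempts: int) -> float:
    """Fraction of a multiple-choice answer space reachable within the attempt
    limit. With unlimited attempts the fraction is 1.0 (the post's concern)."""
    space = 1
    for n in option_counts:
        space *= n
    return min(max_attempts, space) / space
```

With constructed choices of 60 dates, 62 counties, and 3 manufacturers, a five-attempt limit leaves a guesser covering well under a tenth of a percent of the space per identity, whereas unlimited attempts cover all of it.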
Be Aware of the Risks
The use of vaccine passports poses security and privacy risks that warrant careful consideration by policymakers, businesses, and the general public. There are ways to double-check if a passport is fraudulent by requiring the person to also present a second form of identification. But any type of vaccine passport system should not require people to expose their DOBs.
Lastly, don’t make it easier for the criminals – don’t post photos of your CDC vaccination card (which has your DOB information) on social media.
Paul Prudhomme is Head of Threat Intelligence Advisory at IntSights. He previously served as a leader of the cyber threat intelligence subscription service at Deloitte and as an individual contributor to that of iDefense. Prior to that Paul covered cyber issues as a contractor in the US Intelligence Community. Paul specializes in the coverage of state-sponsored cyber threats, particularly those from Iran. He originally served as a linguist and cultural advisor and speaks multiple languages, including Arabic. Paul has a Master’s degree in History from Georgetown University. He is also a certified scuba diver and an award-winning amateur underwater photographer.